Geekzone: technology news, blogs, forums


MartinGZ

#275727 6-Sep-2020 18:27

I’m under pressure to change to a more user-friendly password manager from my favourite of many years, KeePass, so I’m trialling LastPass as it seems to be in the top five of most reviews.

 

It concerns me that the default browser settings are pretty lax and leave local security open to abuse, and it makes me wonder if there are other things I should know about. Using the Windows 10 environment; not an issue in Android as it works through the app. Don't know about iOS.

 

My issue:

 

By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.

 

Even if you shut down and restart the computer, LastPass is active and ready to go. Yes, I can change this to be more secure, but with limitations. And yes, this is only an issue if I leave my logged-in computer unattended and a shifty character comes along, and yes, I can log out of LastPass, but I cannot control others. But as a password manager, shouldn’t it be more secure than this? I don’t really think this is a case of Tin Hats; this is supposed to be a secure password manager after all.

 

Details.


  1. There is no global control of this setting in the account settings, it needs to be changed in each browser extension. We only have 3 household computers, with an average of three browsers each, others will have more. Hmm.
  2. LastPass browser extension options are not password protected (I don’t even know if this is possible), so even if you set the extension to log out of LastPass when you close the browser, Mr Shifty can always change this option if they happen to use your PC. You don’t even need to be logged into LastPass to change the extension settings.
  3. In the global account advanced settings, you can fine-control when you are prompted for the master password, but invoking any of these means you basically need to re-enter your master password all the time, making things pretty unworkable. Fortunately, as far as I can see, the master password is required to implement any of these changes – I see even versions from last year had this as an option, not mandatory.
  4. This has been around a while, e.g. post starting 2016 https://forums.lastpass.com/viewtopic.php?f=12&t=230475&hilit=browser+extension&start=10

 

As it stands, it could work in my environment, but given the above has little to offer over KeePass on the desktop. Can't say I'd recommend it to many of my friends.







jarledb

#2558025 6-Sep-2020 18:33

You might want to check out 1Password, it does not behave the same way you describe LastPass does.









voltuard

#2558029 6-Sep-2020 19:30

Swapped out Lastpass for Dashlane at the beginning of the year and am happy. Lastpass was getting more annoying to use and they didn't seem very quick to update and improve their software.


mentalinc

#2558039 6-Sep-2020 19:50

Why are you no longer using KeePass?








freitasm

#2558043 6-Sep-2020 20:06

MartinGZ: By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.

This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation.






 


MartinGZ

#2558101 6-Sep-2020 21:08

mentalinc: Why are you no longer using KeePass?

 

The desktop version is fine. I don't find it too nerdy; others that need to be kept happy do. I've never been happy with the use of 3rd-party add-ons for Android, and that version is lumpy anyway.

 

freitasm: This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation.

 

 

LastPass was a fresh install this morning and it was the default. I downloaded and used the full Windows installer that does all browser options. I hadn't used it in Google Chrome yet, so I just checked the extension options without logging in. The defaults were unchecked. I hit the Restore General Defaults button and the results are shown in this image.

 


 

@jarledb and voltuard. Thanks for the suggestions of 1Password and Dashlane, I'll try them out over the next few days.

 

As I run Norton 360, I've just been experimenting with Norton Password Manager - the last time I tried it was in 2014 and it was dreadful. Although it certainly doesn't have the bells and whistles, it seems to perform pretty well and handles, first time, logins that I couldn't train LastPass to do. Whether it's flexible enough for me remains to be seen.

 

<edit minor typos>







freitasm

#2558102 6-Sep-2020 21:10

The option is, when you log in, to remember the password - uncheck that and it should not keep the session.

 

Norton 360 is good but Norton Password Manager doesn't have a sharing/recovery option - this is something I really use on LastPass.





mentalinc

#2558103 6-Sep-2020 21:11

Keepass2Android works well app-wise. You can use it to do the Android autofill thing.

 

On Windows, you can use a few different options for auto-complete integration.

 







dt

#2558126 6-Sep-2020 22:07

voltuard: Swapped out Lastpass for Dashlane at the beginning of the year and am happy.

 

 

Have also been using Dashlane for a couple of years now; like it so much that on my last renewal I bought the 5-year licence.

 

It includes a few cool features like a 1-click password changer for supported sites, dark/deep monitoring for listed emails that are involved in breaches, a VPN included (only when using the desktop app), and to me the interface is heaps more polished and newbie-friendly than the other top 5 competing products.

 

If you work in IT and have remote server access, it also integrates into Remote Desktop Manager.


MartinGZ

#2558131 6-Sep-2020 22:18

freitasm: This is not the default. If you check the box to keep it logged in, LastPass will actually show you a notice saying this is bad and asking for confirmation.

 

 

Ah, I think we are at cross purposes, easily done. I think you are referring to the following screenshot, and as you can see the remember password box is unchecked. I can't think of a good (any?) reason one would have that checked.

 


 

The checkboxes I refer to are within the browser extension options. In Firefox it's: Hamburger/Add-ons/Extensions/LastPass/Options.

 

My reading of it is that, in effect, the check boxes I refer to have exactly the same effect as ticking the one you refer to. One has no security warning; the other one does. That's just bad software and security design.

 

@mentalinc. That's the Android app I use, but I just find it a bit clunky. It was nice that they added biometric login though; entering long, complicated passwords on a phone is not an enjoyable task. As for the Windows add-ons, there are dozens, and long ago I decided that I was not expert enough to know the security profile of any of them. One would hope that they'd get kicked off the main KeePass website if there were misuses, but who would know? Many of them are not open source (and do they ever get checked anyway?). It went into the too-hard basket.

 

 







allio

#2558497 7-Sep-2020 12:05

Highly recommend Bitwarden if you're still checking out alternatives. It shares the first issue in your first post (i.e. you need to configure the addon for each browser/computer) but the others aren't an issue. Overall I've found the security options in the browser addon to be very sane, secure and sensible. You can't change any setting without being logged in and unlocked. Mine is set to lock the vault after an hour and I unlock it by entering either a PIN or my master password, but you can make it as secure as you like. If you want, it can fully log you out after one minute and require you to enter both your master password and 2FA key to use it again.

 

You can set the browser addon to never log out/lock if you want (something that's inherently insecure, though no worse than the default behaviour of all internet browsers) but that's not the default behaviour and it gives you a stern warning if you enable it. I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

 

Bitwarden's free plan is also far less limited than most competitors (all it's really missing is TOTP support) and the premium plan is super cheap. Plus you can self-host a server and get all the premium features for free. I really like it.


MartinGZ

#2559695 7-Sep-2020 16:03

allio: I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

 

 

You or I may not make that error, but others will. A piece of security-based software should not allow user error by default.

 

A silly example. I used to carry out energy audits, and one night audit was the HQ building of a security company (not in NZ). Bear in mind this was 25+ years ago, when online security wasn't such an issue. As usual, loads of things were running that should not have been, including 30% of the computers. Curious, I checked, and of those PCs still on, 25% were still logged in! At the time I was the sole occupant of the building. At other times there would have been cleaners, repair people etc. Needless to say, I reported this in the morning (not least to cover my backside), and systems instantly changed. Even people who should know better make dumb errors.





allio

#2559922 7-Sep-2020 20:52

MartinGZ:

allio: I did just try and while your vault has to be unlocked to change the setting, it doesn't require you to re-enter your master password to change the locking behaviour. I guess that's a security risk if anyone uses your device, but if you allow someone to use your device while you're logged into your password vault then you have bigger concerns than them changing your addon settings.

You or I may not make that error, but others will. A piece of security-based software should not allow user error by default.

A silly example. I used to carry out energy audits, and one night audit was the HQ building of a security company (not in NZ). Bear in mind this was 25+ years ago, when online security wasn't such an issue. As usual, loads of things were running that should not have been, including 30% of the computers. Curious, I checked, and of those PCs still on, 25% were still logged in! At the time I was the sole occupant of the building. At other times there would have been cleaners, repair people etc. Needless to say, I reported this in the morning (not least to cover my backside), and systems instantly changed. Even people who should know better make dumb errors.

 

 

Fair enough, and changing that setting probably is an action that should require a password entry. However, I think the far greater risk from a bad actor loose in your unlocked vault is that they simply make off with a couple of key passwords, probably by taking photos of them on their phone. Unlike changing the addon settings, that's an immediate threat that you have no way of noticing, and it doesn't require them to come back at a later date to take advantage of. Really, once someone untrustworthy is using your browser with an unlocked vault without you over their shoulder, you've already lost.

 

If you think it's an error to even offer the option to not log out ever, I completely disagree. It's up to the user to determine the right mix of security and convenience for their own usage. Unlike my laptop, my secure desktop machine (which nobody other than me ever uses) is set to stay logged into my vault indefinitely, and that's how I want it.


MartinGZ

#2559953 7-Sep-2020 21:19

Dashlane and Firefox. Does anyone use this combination? After I installed the extension, Firefox stated that I needed to Reconnect to my Firefox Account and I get emails about a login from a new computer. That seems like a pretty fundamental change being forced on the browser to me. I haven't even created a Dashlane account as yet, the Firefox account is only used to sync bookmarks etc.

 

KeePass is starting to look good after all!

 

 

 

allio: If you think it's an error to even offer the option to not log out ever, I completely disagree.

 

 

Nope, my beef is that the default settings in security software should be set to secure. It's been a while since I worked in an office, but when I did, I would guarantee that 70% would have gone for a coffee break without logging off. Just an example.







MartinGZ

#2561914 10-Sep-2020 21:19

I've settled on Bitwarden for a longer term trial - thanks @allio. If I like it I'll take the $10/yr subscription.

 

Tried all suggestions, and in the end it was between Dashlane and Bitwarden. Dashlane has the posher interface, but there were two main reasons I ditched it: the Firefox issue above, and secondly the security hole in the Password Changer. Not that I'd ever use it, and it only seems to be an option in three countries anyway, but it's the company ethos that would allow it to be implemented in that way that concerns me.

 

Other niggles. Both allow copy/paste. I'm not sure Dashlane ever clears the clipboard; even if I log off and quit the desktop app, the info is still on the clipboard. Bitwarden has a timer to clear the clipboard, but the default setting is 'Never', when it should be a timed value. I can't understand Dashlane's approach; to me it's sloppy. Some would see this as nitpicking, to me it's fundamental.

 

Thanks everyone for your feedback and suggestions.







allio

#2561918 10-Sep-2020 21:38

MartinGZ: I've settled on Bitwarden for a longer term trial - thanks @allio. If I like it I'll take the $10/yr subscription.

 


Thanks for sharing your evaluation and for letting us know what you settled on. Hope you like Bitwarden - I really think it's an excellent bit of software.

